Internal audit report outlining the results of the Review of Transport Canada's Procurement Practices for Selected Vendors.
On this page
- Purpose
- Background information
- Objective
- Scope
- Approach
- Criteria
- Summary of key observations
- Recommendations
- Annex A – Contract sample overview
- Annex B – Detailed observations by criteria
- Annex C – Statement of conformance
Purpose
Transport Canada's (TC) Internal Audit (IA) team was asked to conduct a targeted review of the department's procurement practices related to specific vendors, following the allegation of potential corruption and extortion in the federal government contracting practices raised at Standing Committee on Government Operations and Estimates (OGGO) meetings in October and November 2023.
This review was not on the Risk-Based Audit and Evaluation Plan (RBAEP) for this fiscal year and was added at the request of senior management.
To produce timely and relevant results, the review was designed to be completed within six weeks from late October to December 2023.
Background information
Policies and guidance materials
All procurement activities in the Government of Canada (GC) are subject to the Directive on the Management of Procurement and the rescinded Contracting Policy prior to May 13, 2022.
- The policies help ensure the GC procures goods and services that meet its requirements to support the delivery of programs and services to Canadians, while ensuring best value to the Crown.
- To help achieve this objective, the GC procurement activities are expected to:
- be effectively managed to enable operational outcomes and best value to the Crown.
- incorporate risk, life cycle cost and performance information in the decision-making.
- establish effective governance and oversight mechanisms.
Organizations follow their own policy and guidance procedures, in addition to Treasury Board (TB) contracting policies and directives, for guidance on their organization's procurement activities.
Public Services and Procurement Canada's (PSPC) Supply Manual also contains additional guidance procedures for the GC procurement process. Departments and agencies are encouraged to use it for general knowledge on procurement activities.
Main offices involved
For the contracts within the scope of this review, two main offices were involved in the management of the procurement activities within TC. Both offices worked closely with the contracting officers in PSPC. The two offices were:
- TC Procurement within Corporate Services, responsible for managing the majority of the procurement activities within the department.
- The procurement team within the Service and Digital Group (SDG), responsible for managing and monitoring the Task Authorizations against the Task Based Informatics Professional Services (TBIPS) contracts.
Key context
During the review period from late October 2023 to early December 2023, both the SDG and TC procurement teams were also tasked with responding to a number of urgent OGGO inquiries and documentation requests while maintaining their operational capacity. The added responsibilities may have impacted their ability to respond to our requests.
In December 2023, PSPC removed all departments' delegated authority to issue Task Authorizations and communicated new Task Authorization guidance procedures, which required immediate changes to the services provided by the SDG procurement team to the IT branches in the department.
On December 15, TC Procurement and SDG procurement teams organized an information session with the Responsibility Centre (RC) community in TC to explain PSPC's new guidance, which aims to improve procurement controls for contracts and Task Authorizations. The new guidance enhances controls in many areas including the preparation of Statements of Work (SOWs) with details on deliverables and outcomes, security verification, and approvals.
Objective
The review provides an independent assessment of TC's procurement practices related to the vendors implicated in the allegations raised at the October and November 2023 OGGO proceedings related to the development of the ArriveCan application. For the selected vendors, this targeted review assessed the compliance of procurement practices with government contracting policies and TC's internal contracting processes and control frameworks.
The review included procedures to identify indicators of fraud. When indicators of fraud are detected, IA shares the relevant evidence with appropriate authorities for further investigation.
Scope
The review's scope included the following three individual IT service vendors and a joint venture of two vendors, as identified in the OGGO proceedings related to development of the ArriveCan application.
Vendors included in the review:
- GC Strategies Inc.
- Dalian Enterprise Inc.
- Coradix Technology Consulting Ltd.
- Dalian Enterprises and Coradix Technology Consulting, in Joint Venture
The review included contracts and other contractual arrangements awarded to the selected vendors and joint venture by both PSPC and TC from December 2016 to September 2023. The review period was selected to align with the federal government's seven-year document retention period and to ensure the coverage of all contracts awarded to GC Strategies, identified in the OGGO proceedings as the primary contractor of interest.
A sample of contracts, Task Authorizations and invoices were selected for examination based on a sampling strategy that considered the risk factors identified in the OGGO proceedings.
Samples included in the review:
- 8 contracts with a total awarded value of $43,291,431 and a total expenditure of $22,224,077 as of November 17, 2023. All four contracts awarded to GC Strategies Inc. were included. An overview of the contracts is in Annex A.
- 22 Task Authorizations
- 45 invoices which included all 9 invoices paid to GC Strategies
The review excluded interviews with PSPC contracting officers and contract documentation maintained by PSPC contracting authorities to avoid adding further pressure on PSPC's operational capacity given their direct involvement supporting the OGGO proceedings.
- At the time of the review, PSPC was tasked to respond to several high priority OGGO inquiries and document requests.
- Also, in December, PSPC took on additional responsibilities to process Task Authorizations after they issued new guidance procedures and removed departments' delegated authorities to issue them.
Approach
The review criteria and test procedures are based on the standard audit program developed by the Office of the Comptroller General (OCG) for a recent horizontal audit of federal government consulting contracts awarded to McKinsey & Company. The audit criteria were relevant as the horizontal audit had a similar objective.
In the planning phase of this review, IA revised the OCG audit criteria and test procedures to reflect TC's departmental processes and current context based on the specific risks factors identified in the OGGO proceedings, the results of the preliminary interviews with TC Procurement and SDG procurement teams, and recent OCG guidance on contract risk and controls (Potential Departmental Risks, Controls and Internal Audit Approaches for Government Contracting, OCG, November 2023).
Due to time constraints and the review's narrow focus, IA strictly applied the criteria and test procedures to assess compliance based on the procurement documentation on file.
Criteria
IA applied the following review criteria and sub-criteria to assess compliance with government procurement policies and regulations. Full details are presented in Annex B.
Review Criteria | Sub-Criteria Areas |
---|---|
|
|
|
|
Summary of key observations
The review identified observations related to the following four key risk areas which led to two recommendations.
- Monitoring the allocation of work to vendors for TBIPS contracts
- Amendments to Contracts and Task Authorizations
- Roles and Responsibilities of a Technical Authority (TA)
- Information Management and Supporting Documentation for Task Authorizations and Contracts
In addition, IA identified the following four risk areas that could be considered for future assurance work.
- Delivery of Services and Section 34 Certification
- Section 32 Certification
- Contract Performance
- Pro-Active Disclosure
IA also assessed the following areas and did not identify major non-compliance issues for the sampled contracts:
- The procurement process, from bid solicitation to contract award, for the sampled contracts awarded by TC.
- Departmental compliance to government requirements on Indigenous Set-Aside contracts.
- Compliance with departmental procurement controls.
Full detail of all observations by review criteria is available in Annex B.
Key observation 1
Monitoring the allocation of work to vendors for TBIPS contracts
To help ensure fairness and transparency, the contracts defined the rules for when and how to issue Task Authorizations to each vendor and required the government to ensure that the dollar value of the Task Authorizations issued to the vendors were proportionally balanced.
A process had been put in place for monitoring the fair allocation of work through Task Authorizations to vendors, but the process has not been maintained for the last few years for the four TBIPS contracts in our sample.
- Not having an effective monitoring process could lead to the risk of non-compliance to contract requirements and could lead to potential unfair practices in the allocation of work.
- To help address this risk, the SDG procurement team communicated that they have started to update the funding allocation spreadsheets and were actively exploring the Power BI dashboard tools managed by TC's Corporate Services to help improve the expenditure tracking process for Task Authorizations.
Key observation 2
Amendments to contracts and Task Authorizations
The principles of contract amendments, such as ensuring best value for the GC, clear definition of work for an amendment, and proper pre-planning to avoid unanticipated amendments, are defined in the TB Contracting Policy Footnote 1.
We found that delegation of authority was respected for all sampled contracts and Task Authorizations. However, there was a high volume of amendments with no documented rationale explaining the need for amending the original contracts or Task Authorizations.
- Creating amendments that change the length or value of contracts or Task Authorizations without a documented rationale, such as a clear description of a change in the scope of work or how the amendment is in the best interests of the government (saves money or time), does not meet TB Contracting Policy's principles for contract amendments.
- To help address this risk, in December, PSPC has communicated new guidance to departments with the objective of enhancing controls around contracts and Task Authorizations including amendments.
Key observation 3
Roles and responsibilities of a Technical Authority
We did not find any written documentation in the department that explains the specific roles and responsibilities of a TA. For the Task Authorizations against a TBIPS contract managed by SDG, there was no defined process for determining who the TA should be.
- The four TAs we interviewed had varying technical expertise and different understandings of the role of a TA. Some felt more clarity on the roles and responsibilities of a TA and written guidance would be helpful in the management of TBIPS contracts where many stakeholders are involved.
- Although it is not a mandatory policy requirement for departments to do so, it would be good practice to create written guidance to define the roles and responsibilities of the TA, project authority, and contracting authority. Some departments, such as the Department of National Defence (DND) and the Canada Border Services Agency (CBSA), have created agreements and RACI (Responsible, Accountable, Consulted, Informed) charts to clarify roles and responsibilities.
- To help address this risk, the SDG procurement team informed IA, at the time of this review, that they are preparing a process map that will clarify the roles and responsibilities of the main parties involved in the contracting process for Task Authorizations.
Key observation 4
Information management and supporting documentation for Task Authorizations and contracts
Many supporting documents for the sampled Task Authorizations could not be located within the time available for this review. Some interviewees also raised concerns over information management practices for Task Authorization documentation, such as the difficulty in finding information in the generic email inbox.
- To help address this risk, the SDG procurement team communicated that they were aware of the gap and was in the process of implementing changes to improve the existing information management processes for Task Authorizations.
Résumés and Evaluation Grids for Task Authorizations: IA reviewed the documentation on file for the 22 sample Task Authorizations which included 37 contracted resources. We were not able to find all mandatory required contract documentation, which included résumés and evaluation grids that are important documentation for demonstrating whether the contracted resource met the required qualifications.
Security Clearance: Most of the Security Requirements Checklists (SRCL) were on file for the 8 sampled contracts, but some had missing information, such as the contract number. For the 22 sampled Task Authorizations, security requirements were defined, as required; however, 16 of the 22 were missing evidence on file confirming the valid security status of the contracted resources.
- To help address this risk, PSPC has initiated their own reviews of contractor qualifications and security clearance following the OGGO proceedings. The department supported PSPC in its verifications. In December, PSPC also communicated new guidance to departments with the objective of enhancing controls around the evaluation of contractor qualifications and security clearance for Task Authorizations and contracts.
Other observations
1. Delivery of services and Section 34 certification
We found that the rates on the invoices matched the Basis of Payment in the contracts for all 45 sampled invoices.
Appropriate Section 34 approvals were provided for the invoices except for one case where the specimen card for the approver was missing and for some cases where the date of the approval was prior to the effective date of the specimen card.
For most of the 45 sampled invoices, we found some form of evidence attached for delivery of service, such as timesheets, progress reports or acceptance of deliverables by a project authority.
2. Section 32 certification
IA found most of the documentation needed to demonstrate that Section 32 authority was performed by the appropriate delegated authority for the sampled contracts and authorizations.
The existing process for accessing historical specimen cards for departed employees appeared to be time consuming. TC's Corporate Services informed us that access to specimen cards will be simplified going forward as all specimen cards are now being saved in Oracle, as part of a new process that was recently implemented.
3. Contract performance
Within the time available for this review, no documentation was found that supported the monitoring of contract performance for all 8 sampled contracts and 22 Task Authorizations, e.g., progress meeting minutes, etc.
4. Pro-Active disclosure
We found that all contracts and Task Authorizations over $10,000 were disclosed, as required, but not all the Task Authorizations amendments over $10,000 have been disclosed.
Some inconsistencies were also noted between the published information and the contract file data. TC Procurement informed us that they are now reviewing the quality of data on a quarterly basis.
Recommendations
Recommendation | Management Action Plan | Due Date |
---|---|---|
1. ADM Corporate Services, in collaboration with ADM Service and Digital Group, should re-examine and clarify the roles and responsibilities regarding the management of TBIPS contracts and Task Authorizations in consideration of the recent changes to TC's delegated authority and contracting procedures. |
|
|
2. ADM Service and Digital Group, in collaboration with ADM Corporate Services, should improve the management and the oversight of TBIPS contracts and Task Authorizations in the following areas:
|
|
|
Annex A – Contract sample overview
Contract number | Vendor | Procurement Type | Purpose of Contract | Contract Start Date | Contract End Date | Contract Amount (including taxes) | Expenditure To Date (including taxes) |
---|---|---|---|---|---|---|---|
T8080-190282 | GC STRATEGIES INC | Non-competitive call-up against a Supply Arrangement | To design and develop a framework for providing briefing materials for incoming senior departmental officials in an electronic format. | 9/6/2019 | 12/31/2019 | $24,563 | $24,563 |
T8080-190219 | GC STRATEGIES INC | Non-competitive call-up against a Supply Arrangement | To implement a prototype digital and Cloud solution for the departing employee approval process. | 9/5/2019 | 3/31/2020 | $25,000 | $25,000 |
T8080-170494 | GC STRATEGIES INC | Competitive call-up against a Supply Arrangement | To provide a Data Conversion Specialist and a Web Designer to support a pilot project investigating the feasibility of artificial intelligence to support its risk-based approach to surveillance and inspection activities specifically in its pre-load cargo manifest pilot program in the Aviation Security program. | 2/13/2018 | 5/31/2018 | $105,260 | $105,260 |
T8080-160301 | GC STRATEGIES INC | Non-competitive call-up against a Supply Arrangement | To provide one experienced Service Designer with experience in User Interaction (UX) and Interface (UI) design, to participate in the implementation of the National Plan for Online Services. |
4/28/2017 | 3/31/2018 | $24,578 | $24,578 |
T8086-172450/003/ZM | DALIAN ENTERPRISES AND CORADIX TECHNOLOGY CONSULTING, IN JOINT VENTURE | Task Based Informatics Professional Services (TBIPS) Contract | To provide resources to support TC's IM/IT operations - a number of different resource categories | 10/29/2019 | 10/28/2024 | $8,227,076 | $5,590,561 |
T8086-172450/002/ZM | CORADIX TECHNOLOGY CONSULTING LTD. | Task Based Informatics Professional Services (TBIPS) Contract | To provide resources to support TC's IM/IT operations - Workstream 7 Business Intelligence and Data Analytics Services | 8/1/2019 | 7/31/2024 | $12,119,900 | $4,706,394 |
T8086-152167/008/ZM | CORADIX TECHNOLOGY CONSULTING LTD. | Task Based Informatics Professional Services (TBIPS) Contract | To provide resources to support TC's IM/IT operations - Workstream 1 Operational Support | 12/21/2017 | 12/20/2023 | $12,408,081 | $4,867,672 |
T8086-152167/004/ZM | CORADIX TECHNOLOGY CONSULTING LTD. | Task Based Informatics Professional Services (TBIPS) Contract | To provide resources to support TC's IM/IT operations - Workstream 2 IM/IT Business Support | 12/21/2017 | 12/20/2023 | $10,356,973 | $6,880,049 |
Total | $43,291,431 | $22,224,077 |
Annex B – Detailed observations by criteria
Review Sub-Criteria | Test Procedures performed to confirm whether sub-criteria are met | Detailed Observations |
---|---|---|
Procurement process – for competitive contracts:
|
1., 2. and 3. The procurement case files contain backup documentation for the bid solicitation, evaluation, vendor communication, and contract award processes. It is the responsibility of the contracting authority to maintain the procurement case files. For this specific review sub-criteria, IA examined the contracts that were competitively tendered. Five of the 8 contracts in our sample met this criterion; however, procurement files were only available for 1 where TC was the contracting authority and maintained the procurement files. The other 4 competitive contracts in our sample were the TBIPS contracts that were awarded by PSPC. These procurement case files were maintained by PSPC as they are the contracting authority. As explained in the Scope section, IA did not schedule interviews with PSPC contracting officer or request documentation from PSPC.
|
The department has implemented a searchable database for finding active specimen cards; however, the database does not include specimen cards for some employees who have left the department. A different record keeping system (recorded in RDIMS) was being used for departed employees which appears to be time consuming to locate records. In addition, TC's Corporate Services informed us that access to specimen cards will be simplified going forward as all specimen cards are now being saved in Oracle, as part of a new process that was recently implemented. As part of the RBAEP planning IA may consider testing the effectiveness of the new process in the future.
For the 1 TBIPS contract in our sample, IA did not assess the supporting documentation for the bidding process to confirm if the vendor provided a certification on its Indigenous business status. PSPC was the contracting authority, and the review did not include documentation maintained by PSPC (more details explained in the Scope section). However, IA confirmed that the vendor, Dalian Enterprises and Coradix Technology Consulting in joint venture, was a registered vendor in the IBD. IA did not perform further test procedures as part of this review and has identified it as a potential risk area for consideration in the RBAEP. |
Procurement process – for non-competitive contracts:
|
1. and 2. In our sample of 8 contracts, 4 were awarded by TC. Three of these 4 contracts were non-competitive contracts against a supply arrangement. As TC was the contracting authority for all 3 non-competitive contracts, IA was able to obtain the procurement case files and completed its review. We also looked at the time frame and scope of the 3 non-competitive contracts to determine if there was evidence of contract splitting. |
IA reviewed all documentation in the procurement case file and found the documentation for all the required procurement steps, from preparing the SOW to contract award, compliant with government contracting policy. Each contract case file included a valid justification for sole source that met 1 of the 4 reasons listed in section 6 of the Government Contracts Regulations. In addition to the reason that the value of the contract was under $25,000 which is one of the four valid reasons for a sole-source, all 3 contracts provided additional rationale to justify the reason to sole-source.
|
Processes for Task Authorizations:
|
1., 2. and 3. IA conducted interviews with 4 TAs out of the 11 in our sample.
The team also interviewed the SDG procurement and TC procurement teams to understand the available guidance and current practices. IA examined all the required documentation for the issuance of a Task Authorization on file. We also reviewed relevant documentation pertaining to the monitoring of allocation of work. |
Although it was not a mandatory policy requirement for departments to create written guidance procedures to define the roles and responsibilities of the TA, project authority, and contracting authority, as a good practice some departments such as DND and CBSA have created agreements and RACI (Responsible, Accountable, Consulted, Informed) chartsFootnote 4. At the time of the review, the SDG procurement team informed IA that they are preparing a process map that will clarify the roles and responsibilities of the main parties involved in the contracting process for Task Authorizations.
IA reviewed the documentation on file for the 22 sample Task Authorizations which included 37 resources. We were not able to find all mandatory required contract documentation, which included résumés and evaluation grids that were important documentation for demonstrating whether the contracted resource met the required qualifications. Specifically, we found that:
The SDG procurement team confirmed that a process had been established, through the use of a funding allocation spreadsheet, to track the value of Task Authorizations to each vendor under a workstream. However, this spreadsheet has not been maintained for the last few years. Interviewees identified several possible reasons for not maintaining the tracker such as limited team capacity being tied up by managing a high volume of amendments to Task Authorizations, lack of written guidance procedures, and lack of training for the staff. IA performed some reconciliation of the funding allocation spreadsheets on file for the 4 sample TBIPS contracts by comparing the spreadsheet data to the Task Authorization data and the data from TC's corporate Oracle financial system and confirmed that there were inconsistencies. However, IA did not have enough data to perform 100% reconciliation. The current data in the spreadsheet showed that the expected allocation percentage of approximately 33% per vendor was not being respected. For example, for one of the sample contracts (for Workstream 3), the expected allocation percentage of Task Authorizations to each vendor was 33%, but the summary showed 25%, 42% and 33% to the three vendors – TPD, Coradix and SI Systems. Not having an effective monitoring process of the funding allocations to vendors could increase the risk of non-compliance to contract requirements and could also lead to potential unfair practices in the allocation of work. The funding allocation spreadsheets were also being set up for the purpose of ensuring that the cumulative value of the Task Authorizations did not exceed the total value of the contract. The SDG procurement team confirmed that the PSPC contracting authority and the vendor also maintained their own tracking. However, the information may not always be aligned. TC Procurement also confirmed that they implemented additional measures to help ensure the expenditures did not exceed the contract limit. Having different sources of tracking information could create duplication of efforts and could also increase the risk of mis-informed decisions based on outdated data. At the time of the review, the SDG procurement team expressed that they have started to update the funding allocation spreadsheets and were actively exploring the Power BI dashboard tools managed by TC's Corporate Services to help improve the expenditure tracking process for Task Authorizations. |
Contract management:
|
|
IA reviewed the contracting policy and PSPC's Supply Manual and found that rules around revisions/amendments to Task Authorizations are loose. The only written guidance we found for revisions to Task Authorizations was in PSPC's Supply Manual, which stated “the client may revise a Task Authorization that it originally authorized subject to the work being within the scope and value of the contract as well as within the client authority limit set in the contract. Any revision to the Task Authorization is subject to concurrence by the contractor. A Task Authorization revision, which will bring the Task Authorization value above the client Task Authorization limit, must be referred to the contracting officer.” TC Procurement indicated that revisions to a Task Authorization should be subject to the same principles as a contract amendment. The principles of contract amendments were defined in TB's contracting policyFootnote 5 as:
Creating amendments that change the length or value of contracts or Task Authorizations without a documented rationale, such as a clear description of a change in the scope of work or how the amendment is in the best interests of the government (saves money or time), does not meet TB's Contracting Policy's principles for contract amendments. Extending the contract with the same resource for a prolonged period of time could also increase the risk of an employer-employeerelationship and create a dependency on a small group of contracted resources with technical knowledge especially if a knowledge transfer process is not set up. As described in the Background section, in December, PSPC has also communicated new guidance to departments with the objective of enhancing controls around contract and Task Authorizations, including amendments.
IA did not perform further test procedures to examine the contract security process as part of this review. Following the OGGO proceedings, PSPC has also been asked to verify the security clearance for all past and active contracted resources with the 3 vendors, and TC submitted the names of the resources to support PSPC's verification. As described in the Background section, in December, PSPC has also communicated new guidance to departments with the objective of enhancing the controls around contract security verifications for contracts and Task Authorizations.
|
Delivery of services and Section 34: Certification authority (Section 34 of the Financial Administration Act) is performed by someone with the delegated authority and there is rigour in ensuring the delivery of services and correctness of the payment requested. |
IA examined a sample of 45 invoices and the associated supporting documentation including contracts, Task Authorizations, invoices, time sheets and financial system print screens and approval specimen cards in order to assess that:
|
Full sample – Delivery of services and Section 34 certification: We found that the rates on the invoice matched the Basis of Payment in the contracts for all 45 invoices reviewed. Appropriate Section 34 approvals were provided for the invoices except for 1 case where the specimen card for the approver was missing and for some cases where the payment was made prior to the effective date of the specimen card. In addition, we could not find evidence for delivery of service for all the invoices reviewed.
|
Pro-active disclosure of contracts: Contracts, including amendments, valued at over $10,000 meet minimum proactive disclosure requirements. |
IA examined the contracts and Task Authorizations including amendments in the full sample and compared the data on file to the published proactive disclosure records to assess if:
|
TC Procurement informed us that the information published on the pro-active disclosure website is based on the quality of data entered into Oracle by Procurement Officers in TC and TC Procurement is now reviewing the quality of data on a quarterly basis when preparing the pro-active disclosure reports. IA did not perform further testing procedures, as part of this review, to assess the pro-active disclosure process. We will share the details of the inconsistencies with TC Procurement and have noted it as a risk area for consideration in the RBAEP planning exercise for future assurance work. |
Review Sub-Criteria | Test Procedures performed to confirm whether sub-criteria are met | Detailed Observations |
---|---|---|
Procurements comply with TC's internal contracting processes and controls. | IA met with TC Procurement to identify the key departmental procurement controls that were unique to TC and determine whether they applied to the contracts in our sample. We also reviewed the documentation on file to determine compliance with departmental control processes. |
|
Annex C – Statement of conformance
This engagement conforms with the Government of Canada's Policy on Internal Audit and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing, as supported by the results of an external assessment of Internal Audit's Quality Assurance and Improvement Program.
Chantal Roy, CIA
Chief Audit and Evaluation Executive